| Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| index 9fd81bcfae958dd44beee4ba363bbb604060917e..05a730259314f3678b87e44083ca3281e2712e4a 100644
|
| --- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| +++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
|
| @@ -30,10 +30,13 @@
|
| #include "sandbox/linux/services/credentials.h"
|
| #include "sandbox/linux/services/namespace_sandbox.h"
|
| #include "sandbox/linux/services/proc_util.h"
|
| -#include "sandbox/linux/services/resource_limits.h"
|
| #include "sandbox/linux/services/thread_helpers.h"
|
| #include "sandbox/linux/suid/client/setuid_sandbox_client.h"
|
|
|
| +#if !defined(OS_NACL_NONSFI)
|
| +#include "sandbox/linux/services/resource_limits.h"
|
| +#endif
|
| +
|
| namespace nacl {
|
|
|
| namespace {
|
| @@ -63,6 +66,10 @@ bool MaybeSetProcessNonDumpable() {
|
| return prctl(PR_GET_DUMPABLE) == 0;
|
| }
|
|
|
| +#if !defined(OS_NACL_NONSFI)
|
| +// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
|
| +// This function is used only in InitializeLayerTwoSandbox().
|
| +// TODO(hidehiko): Enable the sandbox.
|
| void RestrictAddressSpaceUsage() {
|
| #if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
|
| defined(THREAD_SANITIZER)
|
| @@ -93,6 +100,7 @@ void RestrictAddressSpaceUsage() {
|
| #endif
|
| CHECK(sandbox::ResourceLimits::Lower(RLIMIT_AS, kNewAddressSpaceLimit));
|
| }
|
| +#endif // !OS_NACL_NONSFI
|
|
|
| } // namespace
|
|
|
| @@ -137,7 +145,11 @@ void NaClSandbox::InitializeLayerOneSandbox() {
|
| CHECK(MaybeSetProcessNonDumpable());
|
| CHECK(IsSandboxed());
|
| layer_one_enabled_ = true;
|
| - } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
|
| + }
|
| + // Currently namespace sandbox is not yet supported on nacl_helper_nonsfi.
|
| + // TODO(hidehiko): Enable the sandbox.
|
| +#if !defined(OS_NACL_NONSFI)
|
| + else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
|
| CHECK(sandbox::Credentials::MoveToNewUserNS());
|
| // This relies on SealLayerOneSandbox() to be called later since this
|
| // class is keeping a file descriptor to /proc/.
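Review bot: The `else if` introduced at `+ else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {` is now separated from its `}` by two comment lines and an `#if`, which still parses as one if/else chain (comments and directives are gone before parsing) but reads like a dangling `else`. Moving the two comment lines inside the guarded branch, directly after the `else if (...) {` line, keeps the `}` / `else if` pairing visible while the guard stays where it is. In the OS_NACL_NONSFI configuration this means that when the setuid sandbox is not engaged the function now falls through with `layer_one_enabled_` left false; that appears to be caught later by the `kNoSuidMsg` fatal in CheckSandboxingStateWithPolicy(), and the comment here should say that this is the check relied upon. InitializeLayerOneSandbox() starts before this hunk and its body continues into the next one.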
|
| @@ -146,8 +158,14 @@ void NaClSandbox::InitializeLayerOneSandbox() {
|
| CHECK(IsSandboxed());
|
| layer_one_enabled_ = true;
|
| }
|
| +#endif // !OS_NACL_NONSFI
|
| }
|
|
|
| +#if !defined(OS_NACL_NONSFI)
|
| +// Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
|
| +// TODO(hidehiko): Enable the sandbox.
|
| +// Note that CheckForExpectedNumberOfOpenFds() is just referred from
|
| +// InitializeLayerTwoSandbox(). Enable them together.
|
| void NaClSandbox::CheckForExpectedNumberOfOpenFds() {
|
| // We expect to have the following FDs open:
|
| // 1-3) stdin, stdout, stderr.
|
| @@ -188,6 +206,7 @@ void NaClSandbox::InitializeLayerTwoSandbox(bool uses_nonsfi_mode) {
|
| layer_two_enabled_ = nacl::InitializeBPFSandbox(proc_fd_.Pass());
|
| }
|
| }
|
| +#endif // OS_NACL_NONSFI
|
|
|
| void NaClSandbox::SealLayerOneSandbox() {
|
| if (proc_fd_.is_valid() && !layer_two_enabled_) {
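Review bot: The trailing comment on the new `#endif // OS_NACL_NONSFI` does not match the guard it closes, which is `#if !defined(OS_NACL_NONSFI)` opened above CheckForExpectedNumberOfOpenFds(); the other closers in this change use `#endif // !OS_NACL_NONSFI`, and the one added in CheckSandboxingStateWithPolicy() carries no comment at all. Use `#endif  // !OS_NACL_NONSFI` on both so a reader can pair them without scrolling. The guarded region spans two hunks and all of InitializeLayerTwoSandbox(bool uses_nonsfi_mode), whose start is outside this hunk; presumably its declaration in the header stays unconditional, so a stray nonsfi caller would fail at link time rather than silently skip the sandbox, which is the safer failure but worth confirming.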
|
| @@ -219,6 +238,9 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
|
| LOG(FATAL) << kNoSuidMsg << kItIsNotAllowedMsg;
|
| }
|
|
|
| +#if !defined(OS_NACL_NONSFI)
|
| + // Currently Layer-two sandbox is not yet supported on nacl_helper_nonsfi.
|
| + // TODO(hidehiko): Enable the sandbox.
|
| if (!layer_two_enabled_) {
|
| static const char kNoBpfMsg[] =
|
| "The seccomp-bpf sandbox is not engaged for NaCl:";
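Review bot: Compiling out the `if (!layer_two_enabled_)` policy check for OS_NACL_NONSFI means a nonsfi helper running without the seccomp-bpf sandbox produces no log line at all, whereas every other missing layer in this function is reported through `LOG(FATAL) << ... << kItIsNotAllowedMsg`. While the TODO is open, an `#else` arm that records the skipped check keeps the unsandboxed state observable in logs: `#else` / `  LOG(WARNING) << "seccomp-bpf sandbox check skipped for nacl_helper_nonsfi.";` placed before the `#endif`. CheckSandboxingStateWithPolicy() starts outside this hunk and its closing `}` and the matching `#endif` are in the next one.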
|
| @@ -227,6 +249,7 @@ void NaClSandbox::CheckSandboxingStateWithPolicy() {
|
| else
|
| LOG(FATAL) << kNoBpfMsg << kItIsNotAllowedMsg;
|
| }
|
| +#endif
|
| }
|
|
|
| } // namespace nacl
|
|
|